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(54) Personal identification FOB 

(57) Apparatus, and a method for Its use. for auto- 
matically verifying the identity of a person seeking 
access to a protected property, such as a car. room, 
building or automatic teller machine. The apparatus, 
which is disclosed in the form of a handheld fob (14), 
includes a sensor (16) for reading biometric data, such 
as a fingerprint Image, from the person (12), and a cor- 
relator (28) for conrparing the sensed data with a previ- 
ously stored reference image (32) and for determining 
whether there is a match. If there is a match, the fob 
(14) initiates an exchange of signals with the "door" (10) 
that protects the property. Specifically, the fob (14) gen- 
erates a numerical value, such as a cyclic redundancy 
code, from the stored reference image (32). encrypts 
the numerical value, and transmits it to the door (10) as 
confirmation of the person's identity. For further security, 
the person (12) registers this numerical value at each 
door (10) to which access is desired. Upon receipt of 
identity confirmation from the fob (14). the door (10) 
conpares the received numerical value with the one 
stored during registration, before granting access. 




FIG. 1 
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Description 

BACKGROUND OF THE INVENTION 

[0001 ] The present invention relates generally to per- 
sonal identification or verification systems and, more 
particularly, to systems that automatically verify a per- 
son's identity before granting access to something of 
value. Traditionally, keys and locks, or combination 
locks, have been used to limit access to property, on the 
theory that only persons with a right to access the prop- 
erty will have the required key or combination. This tra- 
ditional approach is, of course, still widely used to limit 
access to a variety of enclosed spaces, including 
rooms, buildings, automobiles and safe deposit boxes in 
banks. In recent years, mechanical locks have been 
supplanted by electronic ones actuated by encoded 
plastic cards, as used, for example, for access to hotel 
room doors, or to bank automatic teller machines 
(ATMs). In the latter case, the user of the plastic card as 
a "key" to a bank account must also supply a personal 
identification number (PIN) before access is granted. 
[0002] Many automobiles are protected both by locks 
and by intrusion alarms, which are typically activated 
and deactivated using a small radio or infrared transmit- 
ter carried by the car owner as a key-chain fob. Altiiough 
this type of device Is convenient, its loss by the owner 
may render the vehicle just as vulnerable to theft as if 
mechanical keys had been used for protection. 
[0003] Today, a person still needs to carry a variety of 
keys for access to home, workplace and car, and an 
ever expanding stack of plastic cards for access to 
financial assets, such as bank accounts and store 
charge accounts. Toda/s busy person must memorize 
several passwords and PINs for use in conjunction with 
the plastic cards, and for use to access computer soft- 
ware that may or may not require an access card as 
well. Moreover, all of the foregoing devices for limiting 
access are subject to theft, duplication and misuse. 
Assets protected by mechanical keys are the most vul- 
nerable, of course, but assets protected by combina- 
tions, passwords and PINs are also subject to illegal 
entry by unauthorized users who have stolen, deduced 
or guessed the appropriate combination, password or 
PIN. 

[0004] Accordingly, there Is a widely felt need for a 
more reliable technique for limiting access to personal 
property and other valuable assets. Ideally, tiie tech- 
nique shouki positively verify the identity of the person 
seeking access, and shoukJ eliminate the need to cany 
multiple keys and scannable cards, and the need to 
memorize combinations, passwords and PINs. The 
present invention satisfies this need. 

SUMMARY OF THE INVENTION 

[0005] The present invention resides in apparatus, 
and a method for its use. for automatically verifying the 



kf entity of a person seeking access to a protected prop- 
erty. The protected property may take a variety of forms, 
such as a buiteling, a room, an autonrx)bile or a financial 
account. For purposes of explanation, access to the 

5 protected property is said to be obtained through a 
"door." In many cases, if the property is an automobile, 
a room or a buikJing, for example, it will in facX have a 
physical door through which access is obtained. Other 
types of protected property will not have a physical entry 

10 door, but may still be conskJered to have a "door" for 
purposes of the present invention. In accordance with 
an important aspect of tiie invention, a person may 
securely access a door that Is located right next to the 
user or one tiiat Is thousands of miles away. 

15 [0006] Briefly, and in general temis, the apparatus of 
tiie present invention comprises a sensor, for reading 
biometric data identifying a person seeking access to a 
protected property: storage means, for storing refer- 
ence biometric data klentifying a person authorized to 

20 have access to tiie protected property; a conelator. for 
comparing tiie stored reference txometric data with tiie 
biometric data of the person seeking access and deter- 
mining whether they match; and means for securely 
communicating Identity confirmation to a door that pro- 

25 vides access to tiie protected property upon receipt of 
the kJentity confirmation. The apparatus may further 
comprise a user interface having a first switch to initiate 
operation of tiie apparatus in a verification mode, and a 
second switch, actuation of which places tiie apparatus 

30 in an enroll mode of operation, wherein biometric data 
from the sensor are stored in the storage means for 
subsequent retrieval in tiie verification mode of opera- 
tion. 

[0007] In the disclosed emt>odiments of the invention. 

35 the sensor, the storage means and the correlator are all 
contained in a portable device, which may be a fob car- 
ried by the person, or some other type of communica- 
tion device remote from the protected property. In the 
disclosed embodiments, the means for securely com- 

40 munlcating identity confirmation includes means for 
generating a numerical value from the stored reference 
biometric data; encryption logic, for encrypting the 
numerical value; and a communication Interface for 
sending the encrypted numerical value to the door. 

45 togetiier with kJentif ication data for the person. The door 
provides the desired access to the protected property 
upon confirming tiiat the transmitted numerical value is 
tiie same as one previously provkfed by the person dur- 
ing a registration procedure. 

so [0008] The apparatus of the invention may further 
include a receiver, for receiving an encryption key gen- 
erated by and transmitted from tiie door, and means for 
storing a private encryption key in tiie portable device. 
Further, the encryption logic In the device Includes 

55 means for doubly encrypting the numerical value using 
tiie encryption key received from the door and the pri- 
vate enayption key. 

[0009] The apparatus of the invention may also be 
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defined as a portable fob that includes a sensor, for 
reading fingerprint data identifying a user seeking 
access to a protected property; a memory for storing a 
reference fingerprint Image of the user during an enroll- 
ment procedure and for holding the reference Image for 
future use; an image oonrelator. for comparing the 
stored reference image with a fingerprint Image of the 
user seeking access, as obtained from the sensor, and 
for determining whether the two images match; and 
means for securely comnmjnicatlng identity confirmation 
to a door that provides access to the protected property 
upon receipt of the identity confirmation. More specifi- 
cally, the means for securely oommunfoating Identity 
confirmation includes means for generating a numerical 
value from the stored reference fingerprint image; 
encryption logic, for encrypting the numerical value; and 
a transmitter for sending the encrypted numerical value 
to tiie door, together with user identification data. The 
door provides the desired access to the protected prop- 
erty upon confirming that the transmitted numerical 
value is the same as one previously provided by the 
user during a registration procedure. 
[0010] In the personal identification fob as defined in 
the previous paragraph, the means for generating a 
numerical value includes means for generating a cyclic 
redundancy code from the stored reference fingerprint 
image. The fob further includes a receiver, for receiving 
an encryption key generated by and transmitted from 
the door; and means for storing a private encryptfon key 
in the fob. The encryption logic in the fob includes 
means for doubly encrypting tiie numerical value using 
the encryption key received from the door and the pri- 
vate encryption key 

[001 1 ] In terms of a novel metiiod, the invention com- 
prises the steps of sensing biometric data of a user, 
through a sensor that is part of a personal identification 
device carried by the user; comparing the sensed bio- 
metric data with reference biometric data previously 
stored in tiie personal identification device; determining 
whetiier tiie sensed biometric data match the reference 
biometric data; if there is a match, securely communi- 
cating an identity confirmation to a door that controls 
access to tine protected property; and upon confirma- 
tion of the identity of the user at the door, actuating a 
device tiiat provides tiie desired access. The metiiod 
further comprises the step of initiating normal operation 
of the personal identification device by means of a man- 
ual switch. 

[0012] In one embodiment of the metiiod. there are 
optional steps of receiving a "wake-up" message from 
the door on approaching It to seek access; and initiating 
normal operation of the personal identification device on 
receiving the "wake-up" message. The step of securely 
communicating includes generating a numerical value 
from tiie stored reference biometric data; encrypting tiie 
numerical value; transmitting the encrypted numerical 
value to the door; transmitting user identification data to 
tiie door; receiving and decrypting the enaypted 



numerical value at the door; comparing the decrypted 
numerical value with one previously stored at the door 
by tiie user during a registration process, to confirm the 
identity of the user; and if the identity of tiie user is con- 
5 firmed, activating a desired function to provide access 
to the protected property. 

[001 3] More specifically, the step of securely commu- 
nicating further comprises the steps of generating at the 
door a random pair of door public and private encryption 

10 keys: transmitting the door public key to the personal 
Identification device; selecting for the personal identifi- 
cation device a pair of public and private encryption 
keys for all subsequent uses of tiie device: providing the 
personal identification device public key to the door as 

15 part of tiie door registration process; and storing tiie 
personal identification devlciB private key secretly in the 
device. The enaypting step includes douk)ly encrypting 
the numerical value with the door public key and the 
personal identification device private key The method 

20 forther includes the step, performed at the door, of 
decrypting tiie doubly encrypted numerical value using 
tiie personal identification device public key and the 
door private key 

[0014] it will be appreciated from tiie foregoing ttiat 
25 tfie present invention represents a significant advance 
in providing secure access to txjildings, vehicles, com- 
puters, or any other protected property More particu- 
larly, tiie invention allows multiple properties or assets 
to be accessed using a single security device, which 
30 reliably identifies its owner using biometric data, such 
as a fingerprint. Because identification is verified in a 
small portable device, communicatfon with multiple 
"doors" to protected property can be limited to a simple 
identity confirmation message, appropriately encrypted 
35 to prevent eavesdropping or reverse engineering. Other 
aspects and advantages of the invention will become 
apparent from tiie foltowing more detailed description, 
taken in conjunction with the accompanying drawings. 

40 BRIEF DESCRIPTION OF THE DRAWINGS 

[0015] 

FIG. 1 is a diagram illustrating an application of the 
45 invention, wherein a portable device Is used to open 

a door to a protected property located nearby; 

FIG. 2 is a block diagram depicting the principal 

components of tiie present invention; 

FIG. 3 is a more detailed block diagram showing the 
50 components of a processor module shown in FIG. 

2: and 

FIG. 4 is a block diagram showing a sequence of 
signals transmitted between the portable device 
and a door to protected property. 

55 
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DESCRIPTION OF THE PREFERRED EMBODI- 
MENTS 

[001 6] As shown in the drawings for purposes of illus- 
tration, the present invention pertains to a system for s 
automatic verification of the identity of a person seeking 
access to protected property. Traditionally, property has 
been protected by mechanical locks and keys, or by 
combination locks or electronic devices requiring the 
memorization of combinations, passwords and personal io 
identification numbers (PiNs). 
[0017] In accordance with the present invention, the 
person seeking access to protected property carries a 
portable device that includes a sensor capable of 
obtaining selected biometric measurements associated is 
with the person, and communicating with a related 
device located near the "door" of the protected property. 
Preferably, the portable device also includes identity 
verification means, which compares the biometric 
measurements obtained from the sensor with corre- 20 
sponding measurements stored in a reference set of 
biometric measurements that were obtained from the 
same person during an enrollment procedure per- 
formed earlier. 

[0018] FIG. 1 shows diagrammatically how the inven- 2s 
tion is used to open a "door," indicated by reference 
numeral 10, to protected property. A person 12 seeking 
entry to the door 1 0 carries a small handheld device 1 4, 
which may take the form of a fob. The fob 1 4 communi- 
cates with a receiver 1 5 located near the door 1 0. In the so 
presently preferred embodiment of the invention, the fob 
14 or similar portable device includes a biometric sen- 
sor, which, in the presently preferred embodiment of the 
invention, Is a fingerprint sensor 16. It will be under- 
stood, however, that the principles of the invention are ss 
also applicable to a device that enrploys other biometric 
properties to identify the user 12, such as print patterns 
from other parts of the anatomy, or iris patterns of the 
eye. 

[001 9] When the user 1 2 places a finger over the sen- 40 
sor 16 and actuates a switch, the person's fingerprint is 
scanned and is compared with a reference fingerprint 
image stored in the fob 14. which includes a fingerprint 
correlator for this purpose. If the comparison results in a 
match, the fob 1 4 transmits a confirming message to the 45 
door 10, which is opened to allow access by the user 
12. 

[0020] The nature of the confirming message sent to 
the door 10 is of considerable importance, because a 
simple "OK" or "open" signal in a standardized format so 
would be easy to duplicate in a "cloning" process, and 
unauthorized access would be a relatively simple mat- 
ter. The confirrhing message should ideally be in the 
same format for different access "doors," but should be 
encoded or encrypted in a way that prevents its duplica- ss 
tion and prevents reverse engineering of the fob 14. 
Details of one technique for accomplishing these goals 
are provided below. 



[0021 ] FIG. 2 shows the principal components of the 
fob 14, including the fingerprint sensor 16. a processor 
module 20, a transceiver 22 and a battery power supply 
24. The finger print sensor 16 may be of any available 
design, and may include a capadtive or optical sensor. 
The sensor 16 produces a binary or grayscale image of 
a portion of the user's fingerprint. For rapid processing, 
the entire image may not be used in the conparison 
process that follows, but what the sensor 16 provides is 
a detailed "map" of the fingerprint Including all of its 
ridges and valleys. The processor module 20 is shown 
in mae detail in FIG. 3. 

[0022] The processor module 20 includes a processor 
26. which may be. for example a RISC (reduced instiiic- 
tion set computer) processor, a fingerprint matcher, 
which is a feature con-elator 28 in the prefen^ed embod- 
iment of the invention, a cyclic redundancy code (ORG) 
generator 30. storage 32 for a reference fingerprint 
image, encryption logic 34 and storage 36 for a private 
encryption key. The fob 14 also includes a user interface 
38 through which the user 12 initiates operation in vari- 
ous modes. Basically, the user interlace 38 includes one 
main operating button, which may be incorporated into 
the fingerprint sensor 16, and at least one additional 
button to initiate operation in the enrollment mode. The 
principal function of the RISC processor 26 is to pre- 
process and enhance the fingerprint image provided by 
tiie sensor 16. Pre-processing includes "cleaning" tiie 
image, cropping tiie image to eliminate background 
effects, enhancing contrast in the image, and converting 
tiie Image to a more manageable binary form. In the 
enrollment mode, the pre-processed image is stored in 
ttie reference image storage area 32, as indicated by 
ttie broken line 40. Enrollment is performed when the 
user first acquires the fob 14, and is normally not 
repeated unless the fob is lost or damaged. For addi- 
tional security and convenience, the user may be asked 
to enroll two fingerprints, to allow for continued access if 
the user injures a finger, for example. In a verification 
mode of operation, tiie pre-processed fingerprint Image 
Is input to tiie correlator 28. as indicated by line 43, 
where it is compared with the reference image obtained 
from storage 32 over line 44. The con-elator 28 uses an 
appropriate technique to compare tiie images, depend- 
ing on the level of security desired. Because speed of 
operation is an important factor, a bit-by-bit comparison 
of the entire images is usually not performed. Ratiier. 
significant features of tiie reference image are identified 
and tfie same features are looked for in tiie newly 
scanned image. The techniques disclosed in U.S. Pat- 
ent No. 5,067,162 may, for example, be incorporated 
into the correlator 28 for some applications of the fob 1 4. 
Preferably, the fingerprint con'elator 28 should follow the 
teachings of a co-pending patent application entitied 
"Fingerprint Feature Con^elator." by inventors Bruce W. 
Evans et al.. which is hereby incorporated by reference 
into this specification. As a result of tiie comparison of 
tiie images, the correlator 28 may generate a match sig- 
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nal on line 46, which activates the CRC generator 30. If 
a no-match signal is generated, as indicated on line 48, 
no further processing is performed. Optionaily; the no- 
match signal on line 48 may be used to actuate an indi- 
cator on the user interlace 38. 
[0023] The cyclic redundancy code (CRC) generator 
30. when actuated by a match signal on line 48. gener- 
ates a relatively long (such as 128 bits) binary nunrt^er 
derived from the reference image data. The CRC pro- 
vides a single number that for all practical purposes, 
uniquely identifies the stored reference fingerprint 
image. Even if two fingerprint images produced the 
same CRC, which is highly unlikely, the security of the 
system of the invention would not be compromised, as 
will shortly become clear. 

[0024] The CRC itself is not stored in the fob 14. but is 
transmitted in encrypted form to the door receiver 15. 
Before using the fob 14 for access to a particular door 
10 for the first time, the user 12 must first "register" at 
the door. The registration process is one in which an 
administrator of the door stores the user's name (or 
account number, or other identifying information), In 
association with a public encryption key to be used in 
the user's fob 14, and the user's CRC as derived from 
the user's reference fingerprint. If the door 10 provides 
access to a financial institution, for example, the user 
will register by bringing his or her fob 14 to the Institu- 
tion, and transmitting the fingerprint CRC from the fob to 
the door receiver 15. In the registration mode, the door 
receiver 15 will store the user's CRC in association with 
the user's name or other identifying information. As part 
of the registration process, the user 12 will normally be 
required to present some form of identification other 
than the fob 14. to prove to the institution that the user 
is. in fact, the one whose name or other identifying infor- 
mation is presented and will be stored in the door 10. 
[0025] The registration process for access to more 
personal properties, such as one's automobile, is much 
simpler, but the user's name or other kientifying infor- 
mation is still stored in the door in associatbn with the 
CRC and the fob public encryption key. Even personal 
properties, such as automobiles, shoukJ have the capa- 
bility to store several different sets of personal informa- 
tion, for use by multiple family members, for example. 
As will now be ecplained In more detail, in a subsequent 
use of the fob 14 for access to a door 10 at which the 
user has registered, the fob transmits a user name and 
the CRC corresponding to the stored reference image. 
Logic at the door 10 then compares the received CRC 
with the one that was stored for the named user during 
registration. If there is a match, the door is opened for 
the user. 

[0026] FIG. 4 shows the communications that pass 
between the fob 14 or other personal Identification 
device and a door 10. four different forms of which are 
shown, including a car door 10.1. a building door 10.2, 
an automatic teller machine (ATM) 10.3, and a compu- 
ter 10.4. Each door 10 has an actuator 50. to perform 



some desired operation, such as openir^ the door, and 
each door also has a database 52 in which is stored the 
user name, the user fob put)llc encryption key and the 
user CRC. for each user registered to use the door. 

5 [0027] When the user actuates the fob 14. the user 
name is transmitted to the door 10 in non-encrypted 
form, as indicated by line 54. Optionally, this step may 
be triggered automatically as the user approaches the 
door 10. As indicated by line 56. the door 10 may trans- 

10 mit a 'Vvake-up" call that is received by an approaching 
fob 14, which then transmits the user name. 
[0028] On receiving the user name, the doa 10 gen- 
erates a random pair of public and private encryption 
keys to be used in the ensuing exchange of messages. 

15 Since public key encryption is used in this illustrative 
entxxfiment of the invention, a few words of explanation 
are called for, but it will be understood that the principles 
of public key encryption are well understood in the f ieki 
of secure communication. 

20 [0029] In public key encryption, two separate encryp- 
tion keys are used: a "public" key (potentially known to 
everyone and not kept secret), and a "private" key 
(known to only one party In a communication from one 
party to another). The pair of public-private keys has the 

25 property that, If either of them Is used to encrypt a mes- 
sage, the other one of the pair will decrypt the message. 
For example, party A can send a secure message to 
party B by first encrypting with B's public key Only B 
can decrypt the message, because only B has B's pri- 

30 vate key needed for decryption. Similarly, B could send 
an encrypted message to A using B's private key for 
encryption. A coukl decrypt the message with B's public 
key. but so coukJ anyone else, because B's public key 
may be known to others. Therefore, the message trans- 

35 mitted using this 't)ackwafd" form of public key encryp- 
tion woukj not be secure. 

[0030] The illustrative embodiment of tfie present 
Invention uses a double encryption form of public key 
encryption. Both tiie fob 14 and the door 10 have a pub- 

40 llc-private key pair. As presently contemplated, tiie fob 
14 of the Invention will have a lixed" public and private 
key pair, that is to say the public and private keys will not 
changed from one use of tiie fob to tiie next. The fob 
public key is registered witii each door 10 and it would 

45 be impractical to change tt for every use. The fob private 
key is stored (at 36. FIG. 3) in tiie fob 1 4. preferably in a 
form in which it cannot be discerned by inspection or 
reverse engineering. The key may, for exan^le, be 
encoded Into the silicon structure of the processor mod- 

50 ule 20 in such a way that it is practically indecipherable 
by any normal reverse engineering technique. Each 
door 10 generates a new public-private key pair on 
every new use of tiie door. Thus, these keys cannot be 
determined in advance of tiie actual message exchange 

55 with a fob 14. 

[0031] Upon receipt of a user name from the fob 14, 
tiie door 10 to which access is sought generates a ran- 
dom pair of public-private keys, and ti-ansmlts ttie public 
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key to the fob without encryption, as indicated by line 
58. Then, if the fob 14 has validated the user's identifi- 
cation by successfully matching the sensed fingerprint 
image with the reference image, the fob performs two 
levels of encryption on the CRC that is generated. Rrst. 
the encryption logic 34 in the fob 14 encrypts the CRC 
using the door's public key. Then the resulting encrypted 
CRC is doubly encrypted using the fob's private key 
The doubly encrypted CRC is transmitted to tfie door 
10, where it is deaypted using the fbb*s public key and 
then using the door's private key to recover the CRC. 
The door 10 then compares this CRC with the CRC in 
its database 52 associated with the user name seeking 
access to the door. If there is a match, the door 10 sig- 
nals its actuator 50 to open the door or to perform some 
otiier desired operation. 

[0032] It will be appreciated from this descrq;)tion tiiat 
the invention provides an extremely secure technique 
for accessing protected property. The fob 1 4 is designed 
such that is cannot initiate a door opening operation 
without first matching the fingerprint of the user with the 
stored reference image. Even if a fob thief successfully 
re-enrolls his own fingerprint into the fob. the CRCs 
stored in each of the doors where tiie rightful user is 
registered would prevent operation of tiie doors by the 
thief. 

[0033] Someone attempting to fabricate a "cloned" fob 
would not have the fob private key. so the door would be 
unable to decrypt messages from the cloned fob. If 
someone were to eavesdrop on a fob transmission and 
try to emulate tiiis message in a subsequent attempt to 
open the same door, this approach would be foiled by 
the door's use of a different set of keys for each transac- 
tion. Therefore, the fob's encrypted message to any 
door will be different on each occasion. 
[0034] An additional level of security may be provided 
by storing tiie CRC at tiie door 10 in an internally 
encrypted form, to prevent theft of CRCs from doors. 
[0035] It will be understood from tiie foregoing tiiat the 
present invention represents a significant advance in 
the field of security devices for limiting access to prop- 
erty. In particular, the invention allows a person to obtain 
access to many different properties using a single hand- 
held device tiiat verifies its owner's identity very reliably, 
using unique biometric parameters, such as those 
found in a fingerprint. Moreover, tiie device of tiie inven- 
tion Is highly resistant to reverse engineering, "cloning" 
and other techniques for tampering to obtain access to 
the protected properties. It will also be appreciated that, 
although a specific embodiment of the invention has 
been described in detail for purposes of illustration, var- 
ious modifications may be made without departing from 
the spirit and scope of the invention, which should not 
be limited accept as by the appended claims. 

Claims 

1 . Apparatus for automatically verifying tiie identity of 



a person seeking access to a protected property, 
the apparatus comprising: 

a sensor, for reading biometric data identifying 
5 a person seeking access to a protected prop- 

erty; 

storage means, for storing reference biometric 
data identifying a person authorized to have 
access to the protected property: 

10 a con-elator, for comparing the stored reference 

biometric data witii the biometric data of the 
person seeking access and determining 
whether they match; and 
means for securely communicating identity 

15 confirmation to a door tiiat provides access to 

the protected property upon receipt of the iden- 
tity confirmation. 

2. Apparatus as defined in daim 1. and furtiier oom- 

20 prising: 

a user interface having a first switch to initiate 
operation of tiie apparatus in a verification 
mode, and a second switch, actuation of which 

25 places the apparatus in an enroll mode of oper- 

ation, wherein biometric data from the sensor 
are stored in tiie storage means for subsequent 
retrieval in tiie verification mode of operation; 
and/or wherein: 

30 the sensor, the storage means and tiie correla- 

tor are all contained in a portable device. 

3. Apparatus as defined in daim 2. wherein: 

35 the sensor, the storage means and tiie correla- 

tor are all contained in a portable fob carried by 
the person; and/or wherein: 
the sensor, the storage means and tiie correla- 
tor are ail contained in a communication device 

40 remote from the protected property; and/or 

wherein the means for securely communicating 
identity confirmation includes: 
means for generating a numerical value from 
the stored reference biometric data; 

45 encryption logic, for encrypting tiie numerfoal 

value; and 

a communication interlace for sending the 
encrypted numerical value to the door, together 
witii identification data for the person; 

50 wherein the door provides tiie desired access 

to the protected property upon confirming that 
the transmitted numerical value is the same as 
one previously provided by the person during a 
registration procedure; and 

55 said apparatus preferably furtiier comprising: 

a receiver, for receiving an encryption key gen- 
erated by and transmitted from tiie door; and 
means for storing a private enayption key in 
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the portable device; 

and wherein the encryption logic includes 
means for doubly encrypting the numerical 
value using the encryption key received from 
the door and the private encryption key. 5 

4. A personal klentif ication fob for automatically verify- 
ing the identity of a user seeking to use the fob for 
access to a protected property, the fob comprising: 

10 

a sensor, for reading fingerprint data identifying 
a user seeking access to a protected property; 
a menfK)ry for storing a reference fingerprint 
image of the user during an enrollment proce- 
dure and for holding the reference image for is 
future use; 

an image correlator, for comparing the stored 
reference image with a fingerprint image of the 
user seeking access, as obtained from the sen- 
sor, and for determining whether the two 20 
images match; and 

means for securely communinating identity 
confirmation to a door that provides access to 
the protected property upon receipt of the iden- 
tity confirmation. 2s 

5. A personal identification fob as defined in claim 4. 
wherein the means for securely communicating 
identity confirmation includes: 

; 30 
means for generating a numerical value from 
the stored reference fingerprint image; 
enayption logic, for encrypting the numerical 
value; and 

a transmitter for sending the encrypted numer- 35 
ical value to the door, together with user identi- 
fication data; 

wherein the door provides the desired access 
to the protected property upon confirming that 
the transmitted numerical value is the same as 40 
one previously provided by the user during a 
registration procedure; and 
wherein preferably the means for generating a 
numerical value includes means for generating 
a cyclic redundancy code from the stored refer- 45 
ence fingerprint image: and/or 
saki personal kJentification fob preferably fur- 
ther comprises: 

a receiver, for receiving an encryption key gen- 
erated by and transmitted from the door; and so 
means for storing a private encryptfon key in 
the fob: 

and wherein the encryption logic includes 
means for doubly encrypting the numerical 
value using the encryption key received from 55 
the door and the private encryption key 

6. A method for automatically verifying the identity of a 



user seeking access to a propertiy protected by a 
door, the method comprising the steps of: 

sensing biometric data of a user, through a 
sensor that is part of a personal identificat'on 
device earned by the user; 
comparing the sensed biometric data with ref- 
erence biometric data previously stored in the 
personal kientif ication device; 
determining whether the sensed biometric data 
match the reference biometric data; 
if there is a match, securely communicating an 
identity confirmation to a door that controls 
access to the protected property; and 
upon confirmation of the identity of the user at 
the door, actuating a device that provides the 
desired access. 

7. A method as defined in daim 6, and further com- 
prising the step of: 

initiating normal operation of the personal iden- 
tification device by means of a manual switch; 
and/or further comprising the steps of: 
receiving a "wake-up" message from the door 
on approaching it to seek access; and 
initiating normal operation of tiie personal kien- 
tification device on receiving the "wake-up" 
message; and/or 

wherein the step of securely communicating 
includes: 

generating a numerical value from the stored 
reference biometric data; 
encrypting tiie numerical value; 
transmitting the encrypted numerical value to 
the door; 

transmitting user identification data to the door; 
receiving and decrypting the encrypted numer- 
ical value, at tiie door; 

comparing the decrypted numerical value with 
one previously stored at the door by the user 
during a registi'ation process, to confirm the 
identity of the user; and 
if the identity of tiie user is conf irmed, activating 
a desired function to provide access to the pro- 
tected property; and 

wherein the step of securely communicating 
preferat}ly further conprises: 
generating at the door a random pair of door 
public and private encryption keys; 
transmitting the door public key to the personal 
identification device; 

selecting for tiie personal identification device a 
pair of put^lic an private encryption keys for all 
subsequent uses of the device; 
providing the personal identification device 
public key to ttie door as part of the door regis- 
tration process; and 
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storing the personal identification de^'ce pri- 
vate key seaetly in the device; 
and vyfheretn the encrpyting step includes dou- 
bly encrypting the numerical value with the 
door public key and the personal klentification 5 
device private key: and 

wherein door preferably perfornts the additional 
step of: decrypting the doubly encrypted 
numerical value using the personal identifica- 
tion device public key and the door private key. 10 

8. A method for a user to obtain access to property 
protected by a normally locked door, the method 
including the steps of: 

IS 

pladng a finger on a fingerprint sensor in a fob 
while approaching a door; 
actuating the fob to sense and record a finger- 
print of the user; 

companing the sensed fingerprint with refer- 20 
ence fingerprint data previously stored in the 
fob; 

upon a successful comparison, transmitting an 
identity confirmation from the fob to the door 
that protects the property; and 2S 
unlocking the door upon receipt of an identity 
confirmation. 

9. A method as defined in claim 8, wherein the step of 
transmitting and identity confirmation includes: 30 

encrypting the identity confirmation in the fob; 
and 

deaypting the identity confirmation at the door. 

35 

10. A method as defined in daim 9, wherein: 

the step of encrypting includes doubly enaypt- 
ing; and 

the step of decrypting includes doubly deaypt- 40 
ing; and 

wherein the step of doubly encrypting prefera- 
bly includes first encrypting the identity confir- 
mation using a public door encryption key 
generated in and received from the door and 45 
then further encrypting using a private fob 
encryption key stored in the fob; and 
the step of doubly decrypting includes first 
decrypting using a public fob encryption key 
provided by the user on prior registration at the so 
door and then decrypting using a private door 
encryptk>n key generated in the door. 
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PROCESSOR MODULE. 
INCLUDING: 

- PROCESSOR (E.G. RISC). 

- CORRELATOR. 

- REF. IMAGE STORAGE. 

- CYCLIC REDUNDANCY 

CODE GENERATOR, 
~ PRIVATE KEY STORAGE, 

- ENCRYPTION LOGIC. 



WIRELESS TRANSCEIVER 

(OR INTERFACE TO 
OTHER COMMUNICATION 
DEVICE) 
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SENSOR 

(CAPACITIVE. 
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OTHER TYPE) 
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SUPPLY 
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